What is claimed is: 

1. A method of improving security policy administration and enforcement using a
role-permission model, comprising steps of:

identifying one or more groups of permitted actions on selected resources; 
assigning a name to each identified group; 

defining each assigned name to a security system as a security object; and 
associating subjects with each assigned name. 

2. The method according to Claim 1, wherein the assigned name is a role name.

3. The method according to Claim 1, wherein the selected resources are executable methods. 

4. The method according to Claim 1, wherein the selected resources are columns of a 
database table. 

5. The method according to Claim 1, wherein the selected resources are rows of a database 
table. 

6. The method according to Claim 1, wherein the selected resources are files and the 
permitted actions are file access operations. 



7. The method according to Claim 1, wherein the selected resources are function calls to
functions of one or more executable programs.

8. The method according to Claim 1, wherein the selected resources are Enterprise
JavaBeans ("EJBs") and the permitted actions are methods on the EJBs.

9. The method according to Claim 1, wherein the selected resources are servlets and the
permitted actions are methods of the servlets.



10. The method according to Claim 1, wherein the selected resources are Uniform Resource
Identifiers ("URIs") and the permitted actions are methods which reference the URIs.



11. The method according to Claim 1, wherein the selected resources are JavaServer Pages
("JSPs") and the permitted actions are methods referenced from the JSPs.

12. The method according to Claim 1, wherein the selected resources are any resource that is
expressible to the security system and the permitted actions are selected from a set of actions that
are permitted on those resources.



13. The method according to Claim 1, further comprising the steps of:

receiving an access request for a particular one of the selected resources;
determining one or more roles which are required for accessing the particular resource;
determining an identity of a source of the access request;
for each of the required roles, until obtaining a successful result or exhausting the required
roles, determining whether the identity of the source is associated with the required role; and
authorizing access to the particular resource only if the successful result was obtained.

14. The method according to Claim 13, wherein the step of determining the one or more roles 
further comprises consulting a collection created from the identified permitted actions on the 
particular resource. 
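The procedure of Claims 1, 13 and 14 in working form, as an added example that is not part of the patent text: roles name groups of (resource, action) permissions, subjects are associated with roles, the roles required for a request are derived from those permission collections, and the request is checked against each required role until one succeeds or the roles are exhausted. The class and method names and the Teller/Auditor sample data are constructed here for illustration.

```python
from dataclasses import dataclass, field

Permission = tuple[str, str]  # (resource, permitted action), e.g. ("Account", "getBalance")


@dataclass
class SecuritySystem:
    """Role-permission model of Claims 1, 13 and 14 (constructed illustration)."""
    # role name -> named group of permitted (resource, action) pairs (Claim 1)
    roles: dict[str, set[Permission]] = field(default_factory=dict)
    # subject identity -> role names the subject is associated with (Claim 1)
    subjects: dict[str, set[str]] = field(default_factory=dict)

    def define_role(self, name: str, permitted: set[Permission]) -> None:
        """Name a group of permitted actions and define it as a security object."""
        if name in self.roles:
            raise ValueError(f"role {name!r} is already defined")
        self.roles[name] = set(permitted)

    def associate(self, subject: str, *role_names: str) -> None:
        """Associate a subject with roles; only defined security objects may be used."""
        unknown = set(role_names) - self.roles.keys()
        if unknown:
            raise KeyError(f"undefined roles: {sorted(unknown)}")
        self.subjects.setdefault(subject, set()).update(role_names)

    def required_roles(self, resource: str, action: str) -> set[str]:
        """Claim 14: the roles required for an action are the roles whose
        permitted-action collection contains (resource, action)."""
        return {r for r, perms in self.roles.items() if (resource, action) in perms}

    def authorize(self, subject: str, resource: str, action: str) -> bool:
        """Claim 13: iterate the required roles until one matches the requester's
        identity or the roles are exhausted; deny unless a match was found."""
        required = self.required_roles(resource, action)
        held = self.subjects.get(subject, set())  # unknown subject holds no roles
        for role in required:
            if role in held:
                return True  # successful result: stop checking further roles
        return False  # exhausted roles (or no role permits the action): deny


def demo_system() -> SecuritySystem:
    """Constructed sample: EJB methods (Claim 8) grouped into two roles."""
    sec = SecuritySystem()
    sec.define_role("Teller", {("Account", "getBalance"), ("Account", "deposit")})
    sec.define_role("Auditor", {("Account", "getBalance"), ("AuditLog", "read")})
    sec.associate("alice", "Teller")
    sec.associate("bob", "Auditor")
    return sec
```

Because a request for an action that no role permits yields an empty set of required roles, the loop never produces a successful result and such requests are denied by default rather than falling through.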

15. A system for improving security policy administration and enforcement in a computing 
network using a role-permission model, comprising: 

means for identifying one or more groups of permitted actions on selected resources; 
means for assigning a name to each identified group; 

means for defining each assigned name to a security system as a security object; and 
means for associating subjects with each assigned name. 

16. The system according to Claim 15, further comprising:

means for receiving an access request for a particular one of the selected resources; 
means for determining one or more roles which are required for accessing the particular 
resource; 

means for determining an identity of a source of the access request; 
for each of the required roles, until obtaining a successful result or exhausting the required 
roles, means for determining whether the identity of the source is associated with the required 
role; and

means for authorizing access to the particular resource only if the successful result was 
obtained. 

17. A computer program product for improving security policy administration and 
enforcement in a computing network using a role-permission model, the computer program 
product embodied on one or more computer readable media and comprising: 

computer readable program code means for identifying one or more groups of permitted 
actions on selected resources; 

computer readable program code means for assigning a name to each identified group; 

computer readable program code means for defining each assigned name to a security 
system as a security object; and 

computer readable program code means for associating subjects with each assigned name. 

18. The computer program product according to Claim 17, further comprising: 
computer readable program code means for receiving an access request for a particular 

one of the selected resources; 

computer readable program code means for determining one or more roles which are 
required for accessing the particular resource; 

computer readable program code means for determining an identity of a source of the 
access request; 

for each of the required roles, until obtaining a successful result or exhausting the required 
roles, computer readable program code means for determining whether the identity of the source
is associated with the required role; and 

computer readable program code means for authorizing access to the particular resource 
only if the successful result was obtained. 